Cybercriminals get stuck into honeypots

Tom Espiner ZDNet.co.uk

Published: 04 Apr 2006 16:25 BST

Cybercriminals are increasingly fighting antivirus vendors and each other in pursuit of illegal gain, Kaspersky Lab said on Tuesday.

The antivirus company said that as profits from cybercrime grew during 2005, criminals increasingly tried to prevent antivirus firms from developing protection against the latest threats. Honeypots that collect samples of malware for antivirus companies were a prime target.

Criminals would use botnets, legions of zombie computers, to bombard honeypot networks with data to hinder or stop them working, an approach known as a distributed denial of service (DDoS) attack, according to Kaspersky's Malware Evolution: 2005 report.

"If the bad guys are aware of a network that looks suspicious because it's too unprotected — to lure bad code — they can take steps like launching DDoS attacks against that honeypot network. They can then launch other attacks simultaneously [against other targets]," said David Emm, senior technology consultant for Kaspersky.

Worms can also be programmed to avoid domains known to be monitored by antivirus companies.

"Criminals will employ whatever evasive techniques they can," said Emm.

Techniques increasingly used by cybercriminals over 2005 included creating their own packing mechanisms to compress malicious code, so that they can try to avoid detection by antivirus software. Malware creators also now routinely include code to either cripple antivirus updating mechanisms on infected machines or remove antivirus software completely, according to Emm.

Cybercriminals are also increasingly targeting each other to maximise financial gain, according to Kaspersky.

"It's like any kind of economic venture. Those that get smarter survive. Organised criminal structures are run as businesses, and they take over smaller guys," said Emm.

Kaspersky also said that cybercriminals often launch DDoS attacks against rivals to stop them from operating, and attempt to hijack each other's botnets. They also program their malware to attempt to disable any other malware that has already been installed on an infected PC.

"Criminals have realised that it is much simpler to obtain already infected resources than to maintain their own botnets or to spend money on buying parts of botnets which are already in use," Yury Mashevsky, a virus analyst at Kaspersky Lab, said in the report.

"In much the same way criminals attack innocent people, they will attack each other," Emm added.

Kaspersky also reported a five-fold increase in the amount of malware designed to steal financial information over 2005.
